Heartbleed hack is still threat to big companies

Hundreds of thousands of corporate computer servers, routers and other Internet devices worldwide remain vulnerable to the Heartbleed Web-security flaw nearly six months after its existence was disclosed, security researchers say.
More than half of the Forbes Global 2000 listing of the world’s most profitable companies have servers that are still not fully protected, according to the security company Venafi Inc., which electronically probed them Aug. 22.
“We expect that the most sophisticated attackers will use this at the time of their liking,” Kevin Bocek, vice president for security strategy and threat intelligence at the Sandy, Utah-based company, said in a phone interview.
He declined to name any companies found to be vulnerable, though he said they were in the health care, retail, banking and other sectors. The biggest public company known to be hacked through Heartbleed was Community Health Systems Inc., which disclosed Aug. 18 it had been attacked in April and June.
Separately, Errata Security, a consulting company based in Atlanta, Ga., scanned publicly available devices on the Internet on June 20 and found as many as 300,000 routers, servers and other Internet devices were still vulnerable.
The lag in responding to one of the most widespread Internet vulnerabilities ever uncovered means hackers can still intercept user names, passwords and other sensitive data, just as they did when they stole 4.5 million patient records from Community Health earlier this year.
Heartbleed is a programming mistake in OpenSSL, which is used by companies to secure traffic flowing between servers and computers. SSL refers to an encryption protocol known as Secure Sockets Layer and its use is indicated by a closed padlock appearing on browsers next to a website’s address.
Venafi found 1,219 companies on the Forbes Global 2000 had a combined 448,000 servers that weren’t fully secured from Heartbleed.
Although security patches had been applied, encryption keys and digital certificates that provide trust and privacy for consumer protection remained unchanged, Venafi found. Security-research company Gartner Inc. recommends rotating and replacing keys in order to defend against Heartbleed attacks.
